From d61ff83be977d9622b98f61a49ab3c1ca2db78a1 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 28 Jun 2012 12:45:49 +0000 Subject: [PATCH] Add new "valid_flags" field to CERT_PKEY structure which determines what the certificate can be used for (if anything). Set valid_flags field in new tls1_check_chain function. Simplify ssl_set_cert_masks which used to have similar checks in it. Add new "cert_flags" field to CERT structure and include a "strict mode". This enforces some TLS certificate requirements (such as only permitting certificate signature algorithms contained in the supported algorithms extension) which some implementations ignore: this option should be used with caution as it could cause interoperability issues. --- CHANGES | 12 +++ apps/s_server.c | 5 ++ ssl/s3_lib.c | 2 + ssl/ssl.h | 17 ++++ ssl/ssl_cert.c | 4 + ssl/ssl_lib.c | 25 ++++-- ssl/ssl_locl.h | 19 ++++- ssl/t1_lib.c | 201 +++++++++++++++++++++++++++++++++++++++++++----- 8 files changed, 258 insertions(+), 27 deletions(-) diff --git a/CHANGES b/CHANGES index 33956e2c18..c690bb3800 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,18 @@ Changes between 1.0.1 and 1.1.0 [xx XXX xxxx] + *) Add new "valid_flags" field to CERT_PKEY structure which determines what + the certificate can be used for (if anything). Set valid_flags field + in new tls1_check_chain function. Simplify ssl_set_cert_masks which used + to have similar checks in it. + + Add new "cert_flags" field to CERT structure and include a "strict mode". + This enforces some TLS certificate requirements (such as only permitting + certificate signature algorithms contained in the supported algorithms + extension) which some implementations ignore: this option should be used + with caution as it could cause interoperability issues. + [Steve Henson] + *) Update and tidy signature algorithm extension processing. Work out shared signature algorithms based on preferences and peer algorithms and print them out in s_client and s_server. Abort handshake if no diff --git a/apps/s_server.c b/apps/s_server.c index e679f3e589..f190d8e0d9 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -959,6 +959,7 @@ int MAIN(int argc, char *argv[]) int badop=0,bugs=0; int ret=1; int off=0; + int cert_flags = 0; int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0; int state=0; const SSL_METHOD *meth=NULL; @@ -1396,6 +1397,8 @@ int MAIN(int argc, char *argv[]) keymatexportlen=atoi(*(++argv)); if (keymatexportlen == 0) goto bad; } + else if (strcmp(*argv, "-cert_strict") == 0) + cert_flags |= SSL_CERT_FLAG_TLS_STRICT; else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -1614,6 +1617,7 @@ bad: if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL); if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); SSL_CTX_set_options(ctx,off); + if (cert_flags) SSL_CTX_set_cert_flags(ctx, cert_flags); /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. */ @@ -1687,6 +1691,7 @@ bad: if (bugs) SSL_CTX_set_options(ctx2,SSL_OP_ALL); if (hack) SSL_CTX_set_options(ctx2,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); SSL_CTX_set_options(ctx2,off); + if (cert_flags) SSL_CTX_set_cert_flags(ctx2, cert_flags); /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. */ diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index dad84dca00..993f6e4f15 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3921,6 +3921,8 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, allow = srvr; } + tls1_set_cert_validity(s); + for (i=0; ireferences, 1, CRYPTO_LOCK_X509); } } + rpk->valid_flags = 0; if (cert->pkeys[i].authz != NULL) { /* Just copy everything. */ @@ -376,6 +377,8 @@ CERT *ssl_cert_dup(CERT *cert) /* Shared sigalgs also NULL */ ret->shared_sigalgs = NULL; + ret->cert_flags = cert->cert_flags; + return(ret); #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH) @@ -428,6 +431,7 @@ void ssl_cert_clear_certs(CERT *c) if (cpk->authz != NULL) OPENSSL_free(cpk->authz); #endif + cpk->valid_flags = 0; } } diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index c291ee274c..b3836b7e68 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1128,6 +1128,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg) if (s->s3) return s->s3->send_connection_binding; else return 0; + case SSL_CTRL_CERT_FLAGS: + return(s->cert->cert_flags|=larg); + case SSL_CTRL_CLEAR_CERT_FLAGS: + return(s->cert->cert_flags &=~larg); default: return(s->method->ssl_ctrl(s,cmd,larg,parg)); } @@ -1225,6 +1229,10 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg) return 0; ctx->max_send_fragment = larg; return 1; + case SSL_CTRL_CERT_FLAGS: + return(ctx->cert->cert_flags|=larg); + case SSL_CTRL_CLEAR_CERT_FLAGS: + return(ctx->cert->cert_flags &=~larg); default: return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg)); } @@ -2078,21 +2086,21 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) have_ecdh_tmp=(c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto); #endif cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]); - rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL); + rsa_enc= cpk->valid_flags; rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl); cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]); - rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); + rsa_sign= (cpk->valid_flags & CERT_PKEY_SIGN); cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]); - dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); + dsa_sign= (cpk->valid_flags & CERT_PKEY_SIGN); cpk= &(c->pkeys[SSL_PKEY_DH_RSA]); - dh_rsa= (cpk->x509 != NULL && cpk->privatekey != NULL); + dh_rsa= cpk->valid_flags; dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); cpk= &(c->pkeys[SSL_PKEY_DH_DSA]); /* FIX THIS EAY EAY EAY */ - dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL); + dh_dsa= cpk->valid_flags; dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); cpk= &(c->pkeys[SSL_PKEY_ECC]); - have_ecc_cert= (cpk->x509 != NULL && cpk->privatekey != NULL); + have_ecc_cert= cpk->valid_flags; mask_k=0; mask_a=0; emask_k=0; @@ -2174,13 +2182,16 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) */ if (have_ecc_cert) { + cpk = &c->pkeys[SSL_PKEY_ECC]; + x = cpk->x509; /* This call populates extension flags (ex_flags) */ - x = (c->pkeys[SSL_PKEY_ECC]).x509; X509_check_purpose(x, -1, 0); ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ? (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1; ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ? (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1; + if (!(cpk->valid_flags & CERT_PKEY_SIGN)) + ecdsa_ok = 0; ecc_pkey = X509_get_pubkey(x); ecc_pkey_size = (ecc_pkey != NULL) ? EVP_PKEY_bits(ecc_pkey) : 0; diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 16fa943648..a2fe6ba7eb 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -466,6 +466,14 @@ #define NAMED_CURVE_TYPE 3 #endif /* OPENSSL_NO_EC */ +/* Values for valid_flags in CERT_PKEY structure */ +/* Certificate inconsistent with session, key missing etc */ +#define CERT_PKEY_INVALID 0x0 +/* Certificate can be used with this sesstion */ +#define CERT_PKEY_VALID 0x1 +/* Certificate can also be used for signing */ +#define CERT_PKEY_SIGN 0x2 + typedef struct cert_pkey_st { X509 *x509; @@ -483,6 +491,11 @@ typedef struct cert_pkey_st unsigned char *authz; size_t authz_length; #endif + /* Set if CERT_PKEY can be used with current SSL session: e.g. + * appropriate curve, signature algorithms etc. If zero it can't be + * used at all. + */ + int valid_flags; } CERT_PKEY; typedef struct cert_st @@ -514,7 +527,8 @@ typedef struct cert_st /* Select ECDH parameters automatically */ int ecdh_tmp_auto; #endif - + /* Flags related to certificates */ + unsigned int cert_flags; CERT_PKEY pkeys[SSL_PKEY_NUM]; /* signature algorithms peer reports: e.g. supported signature @@ -1178,6 +1192,9 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg); int tls1_set_sigalgs_list(CERT *c, const char *str); int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen); +int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, + int idx); +void tls1_set_cert_validity(SSL *s); #endif EVP_MD_CTX* ssl_replace_hash(EVP_MD_CTX **hash,const EVP_MD *md) ; diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 88f70d73bf..add105d272 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -539,24 +539,38 @@ static int tls1_check_ec_key(SSL *s, } return 1; } -/* Check EC server key is compatible with client extensions */ -int tls1_check_ec_server_key(SSL *s) + +/* Check cert parameters compatible with extensions: currently just checks + * EC certificates have compatible curves and compression. + */ +static int tls1_check_cert_param(SSL *s, X509 *x) { - int rv; - CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; - EVP_PKEY *pkey; unsigned char comp_id, curve_id[2]; - if (!cpk->x509 || !cpk->privatekey) - return 0; - pkey = X509_get_pubkey(cpk->x509); + EVP_PKEY *pkey; + int rv; + pkey = X509_get_pubkey(x); if (!pkey) return 0; + /* If not EC nothing to do */ + if (pkey->type != EVP_PKEY_EC) + { + EVP_PKEY_free(pkey); + return 1; + } rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec); EVP_PKEY_free(pkey); if (!rv) return 0; return tls1_check_ec_key(s, curve_id, &comp_id); } +/* Check EC server key is compatible with client extensions */ +int tls1_check_ec_server_key(SSL *s) + { + CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; + if (!cpk->x509 || !cpk->privatekey) + return 0; + return tls1_check_cert_param(s, cpk->x509); + } /* Check EC temporary key is compatible with client extensions */ int tls1_check_ec_tmp_key(SSL *s) { @@ -3050,24 +3064,30 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) } } - /* Set any remaining keys to default values. NOTE: if alg is not - * supported it stays as NULL. + /* In strict mode leave unset digests as NULL to indicate we can't + * use the certificate for signing. */ + if (!(s->cert->cert_flags & SSL_CERT_FLAG_TLS_STRICT)) + { + /* Set any remaining keys to default values. NOTE: if alg is + * not supported it stays as NULL. + */ #ifndef OPENSSL_NO_DSA - if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) - c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); + if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) + c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); #endif #ifndef OPENSSL_NO_RSA - if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) - { - c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); - c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); - } + if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) + { + c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); + c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); + } #endif #ifndef OPENSSL_NO_ECDSA - if (!c->pkeys[SSL_PKEY_ECC].digest) - c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); + if (!c->pkeys[SSL_PKEY_ECC].digest) + c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); #endif + } return 1; } @@ -3360,4 +3380,147 @@ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen) return 0; } +static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid) + { + int sig_nid; + size_t i; + if (default_nid == -1) + return 1; + sig_nid = X509_get_signature_nid(x); + if (default_nid) + return sig_nid == default_nid ? 1 : 0; + for (i = 0; i < c->shared_sigalgslen; i++) + if (sig_nid == c->shared_sigalgs[i].signandhash_nid) + return 1; + return 0; + } + +/* Check certificate chain is consistent with TLS extensions and is + * usable by server. + */ +int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, + int idx) + { + int i; + int rv = CERT_PKEY_INVALID; + CERT_PKEY *cpk = NULL; + CERT *c = s->cert; + if (idx != -1) + { + cpk = c->pkeys + idx; + x = cpk->x509; + pk = cpk->privatekey; + chain = cpk->chain; + /* If no cert or key, forget it */ + if (!x || !pk) + goto end; + } + else + { + idx = ssl_cert_type(x, pk); + if (idx == -1) + goto end; + } + + /* Check all signature algorithms are consistent with + * signature algorithms extension if TLS 1.2 or later + * and strict mode. + */ + if (TLS1_get_version(s) >= TLS1_2_VERSION + && c->cert_flags & SSL_CERT_FLAG_TLS_STRICT) + { + int default_nid; + unsigned char rsign = 0; + if (c->peer_sigalgs) + default_nid = 0; + /* If no sigalgs extension use defaults from RFC5246 */ + else + { + switch(idx) + { + case SSL_PKEY_RSA_ENC: + case SSL_PKEY_RSA_SIGN: + case SSL_PKEY_DH_RSA: + rsign = TLSEXT_signature_rsa; + default_nid = NID_sha1WithRSAEncryption; + break; + + case SSL_PKEY_DSA_SIGN: + case SSL_PKEY_DH_DSA: + rsign = TLSEXT_signature_dsa; + default_nid = NID_dsaWithSHA1; + break; + + case SSL_PKEY_ECC: + rsign = TLSEXT_signature_ecdsa; + default_nid = NID_ecdsa_with_SHA1; + break; + + default: + default_nid = -1; + break; + } + } + /* If peer sent no signature algorithms extension and we + * have set preferred signature algorithms check we support + * sha1. + */ + if (default_nid > 0 && c->conf_sigalgs) + { + size_t j; + const unsigned char *p = c->conf_sigalgs; + for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) + { + if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign) + break; + } + if (j == c->conf_sigalgslen) + goto end; + } + /* Check signature algorithm of each cert in chain */ + if (!tls1_check_sig_alg(c, x, default_nid)) + goto end; + for (i = 0; i < sk_X509_num(chain); i++) + { + if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), + default_nid)) + goto end; + } + } + + /* Check cert parameters are consistent */ + if (!tls1_check_cert_param(s, x)) + goto end; + /* In strict mode check rest of chain too */ + if (c->cert_flags & SSL_CERT_FLAG_TLS_STRICT) + { + for (i = 0; i < sk_X509_num(chain); i++) + { + if (!tls1_check_cert_param(s, sk_X509_value(chain, i))) + goto end; + } + } + rv = CERT_PKEY_VALID; + + end: + if (cpk) + { + if (rv && cpk->digest) + rv |= CERT_PKEY_SIGN; + cpk->valid_flags = rv; + } + return rv; + } + +/* Set validity of certificates in an SSL structure */ +void tls1_set_cert_validity(SSL *s) + { + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC); + } + #endif -- 2.40.0